In February 2026, YieldBlox’s DAO-managed lending pool, built with Blend on the Stellar blockchain, was the victim of a price oracle manipulation attack. By manipulating the only trade in the Reflector oracle's pricing window for the USTRY/USDC trading pair, the attacker stole an estimated $10.2 million from the pool.
Inside the Attack
The YieldBlox hack is a classic example of a price oracle manipulation attack. In this case, the attacker took advantage of the fact that the USTRY/USDC market on the Stellar blockchain had extremely low liquidity, including no trades in the 15 minutes before the attack. This was because the pool’s only market maker withdrew all liquidity from the pool.
Reflector — the oracle used by that pool — is a volume-weighted average price (VWAP) oracle. Thus, the lack of trading meant that a single malicious trade would largely define the pricing of the trading pair.
The attacker exploited this fact by placing a sell offer for USTRY for 501 USDC per USTRY, massively inflating the real price. Using a second account, they then performed a trade against that offer, buying 0.05 USTRY at a price of about 106.7 USDC. Since this trade dominated the window for the Reflector VWAP oracle, the price of USTRY was inflated to about $106, a 100x increase over the real $1.05 value.
With this new price, the attacker’s existing USTRY holding was considered significantly overcollateralized, allowing them to take out a massive loan against it. They used this to borrow 61.25 million XLM and 1 million USDC, the entirety of the pool’s reserves. These actions sparked many liquidation actions, causing additional damage to the pool’s users.
In total, approximately $10.2 million worth of tokens was stolen from the protocol. However, $7.2 million of this was frozen within the attacker’s accounts by Stellar Tier-1 validators. The protocol offered a 10% bounty with a 72-hour deadline that the attacker ignored.
Lessons Learned from the Attack
This incident took advantage of a unique set of circumstances. The withdrawal of the market maker meant that the USTRY/USDC saw no real trading volume for a period, opening the door for manipulation of the Reflector VWAP oracle. This oracle worked as designed, quoting accurate prices for the trading pair and window in question.
This incident could have been prevented by implementing safeguards such as minimum liquidity thresholds and volume requirements, circuit breakers, and multi-source price aggregation. For help with protecting your liquidity pool from similar exploits, get in touch.